True Story: I recently met with a client who had a disgruntled ex-employee file a complaint with the Office of Civil Rights (the enforcement arm of the HIPAA Privacy and Security Rules) alleging violations of the HIPAA Privacy Rules by the client. The client had experienced an inadvertent disclosure of protected health information (PHI) more than a year prior to the ex-employee’s filing of the OCR complaint. The specific facts about the inadvertent disclosure of the PHI are not particularly unusual or sexy – an email containing the PHI of several patients was sent in error to the wrong email address. These types of inadvertent disclosures are bound to happen. Once the client learned of the email incident, it took what it considered appropriate action at the time and then filed away the incident to gather dust. Unfortunately, the ex-employee too had filed away the incident – only to blow off the dust and resurrect it in a complaint filed with the OCR. According to the OCR inquiry letter received by the client, the ex-employee alleged the client had not acted in compliance with HIPAA in its response to the email incident. The OCR inquiry letter also contained the usual “data request” portion which required the client to submit to the OCR copies of its written policies and procedures related to safeguarding PHI, breaches, notifications of breaches, and the like. So, the client not only faced defending its actions arising out of an incident from more than a year prior; the client had to also provide copies of its written policies and procedures. After filing its response to the OCR, the client now sits and waits for its actions and documents to be judged by the OCR. If the OCR judges the actions and/or documents of the client are not adequate or violated HIPAA, on to the next step: the levying of fines. 
But, regardless as to whether the client’s actions were HIPAA compliant, the client expended valuable resources (time and money) in drafting a response to the OCR and in gathering its documents.
Fines: “Fines schmines!” you say. “Cost of doing business!” you say. Right? Wrong.
Have you paid attention to the fines the OCR has doled out recently? They range from hundreds of thousands of dollars to millions of dollars. During March of 2016, the OCR levied more than $5 million in one week, for things ranging from lost laptops to IT system hacks. Depending on the facts and circumstances of the violation, fines can climb upwards of nearly $56,000 per violation. Do you want to be the physician or practice/facility administrator trying to split hairs with the OCR as to what constitutes “one” violation when an email is inadvertently sent to the wrong addressee and the email contains the PHI of 100 patients? If that’s “one” violation (and depending on the facts and circumstances), that may be a check for $56,000. Phew! If it’s 100 violations… well… you do the math.
That check to the OCR contains hard earned dollars that will not otherwise be available for distribution to the owners or employees of your practice or facility, or to pay any of your practice’s or facility’s anticipated expenses. Of course, that amount does not include the cost of hiring a health care attorney conversant in the HIPAA Privacy Rules. Such expertise is vital in any dealings with the OCR or when viewing your practice’s or facility’s compliance with HIPAA.
Let’s Test your HIPAA IQ – Query me the following: Would you know what steps are required to be taken upon the discovery of an inadvertent disclosure of PHI? Do you know what is involved in a HIPAA-compliant “risk assessment”? Do you know whether notices must be sent to patients following an inadvertent disclosure of PHI? If so, do you know what the requirements are as to the form and substance of such notices? Do you know the time frame in which a practice must investigate and take action following its knowledge of an inadvertent disclosure of PHI? When was the last time your employees received HIPAA initial training or refresher training?
If your answer to any of the above is “no” or “I don’t know”, you are subjecting your practice or facility to large fines – sticking your head in the sand will not solve the problem. Taking on the “it won’t happen to me” attitude will not solve the problem either. The reality is that the OCR is ramping up enforcement actions and is levying fines at will.
STUFF Happens – Humans are Human: Human error. It is rampant. No matter how much training you conduct and no matter how many policies and procedures you have in place – stuff happens. People make mistakes.
As such, it is prudent to understand what you need to do when a staff member in your practice or facility makes a mistake and sends that email to the wrong person. It is prudent to have in place appropriate safeguards to prevent human error – but the fact of the matter is that it is impossible to wave a wand and suddenly make every single employee perfect and without error.
Know what you are obligated to do when the PHI is inadvertently disclosed. Know whether a breach has occurred. Know what you have to do if a breach has occurred. Know what a patient notification letter is required to contain. Know the time frame within which a patient notice must be sent. Know whether you have to notify the OCR immediately or at the end of the year. Know whether you must notify the media.
As the FRAM man once said – “you can pay me now or pay me later”. When it comes to HIPAA compliance, a little prevention on the front end will certainly minimize or eliminate fines on the back end.
Janie M. Ratliff-Sweeney is a health care lawyer. You can reach Ms. Ratliff-Sweeney at (859) 344-1188 or [email protected].